2012-11 Security Bulletin: NSM Products: Multiple vulnerabilities in Network and Security Manager products

Article ID: JSA10543 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 2.0
Legacy Advisory Id:
PSN-2012-11-767
Product Affected:
Network and Security Manager
NSM3000
NSMXpress/NSMXpress HA
Problem:

Multiple vulnerabilities have been fixed in Juniper Networks NSM products (NSMXpress, NSMXpress II, NSM3000, and NSMserver) as a result of upgrading the base operating system to CentOS 5.7 on NSM appliances and to Red Hat EL 5.7 on software NSM installations.

The following is a list of known CVE ids that may pose a security risk to NSM products and that have been fixed as a result of this software upgrade:

Component          CVE             CVSSv2 base score   CVSSv2 vector
Apache APR-util    CVE-2009-0023   4.3                 AV:N/AC:M/Au:N/C:N/I:N/A:P
                   CVE-2009-1955   7.8                 AV:N/AC:L/Au:N/C:N/I:N/A:C
                   CVE-2009-1956   6.4                 AV:N/AC:L/Au:N/C:P/I:N/A:P
                   CVE-2009-2412   10                  AV:N/AC:L/Au:N/C:C/I:C/A:C
                   CVE-2010-1623   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2011-0419   4.3                 AV:N/AC:M/Au:N/C:N/I:N/A:P
ISC BIND           CVE-2007-2926   4.3                 AV:N/AC:M/Au:N/C:N/I:P/A:N
                   CVE-2011-2464   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
Linux Kernel       CVE-2011-1162   2.1                 AV:L/AC:L/Au:N/C:P/I:N/A:N
                   CVE-2011-2203   2.1                 AV:L/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2011-2484   4.9                 AV:L/AC:L/Au:N/C:N/I:N/A:C
                   CVE-2011-2494   2.1                 AV:L/AC:L/Au:N/C:P/I:N/A:N
                   CVE-2011-2695   4.9                 AV:L/AC:L/Au:N/C:N/I:N/A:C
                   CVE-2011-2723   5.7                 AV:A/AC:M/Au:N/C:N/I:N/A:C
                   CVE-2011-4110   2.1                 AV:L/AC:L/Au:N/C:N/I:N/A:P
libxml2            CVE-2010-4008   4.3                 AV:N/AC:M/Au:N/C:N/I:N/A:P
                   CVE-2011-1944   9.3                 AV:N/AC:M/Au:N/C:C/I:C/A:C
                   CVE-2011-2834   6.8                 AV:N/AC:M/Au:N/C:P/I:P/A:P
                   CVE-2011-3905   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2011-3919   7.5                 AV:N/AC:L/Au:N/C:P/I:P/A:P
OpenSSL            CVE-2009-0590   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2009-1377   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2009-1378   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2009-1379   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2009-1386   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2009-1387   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2009-3245   10                  AV:N/AC:L/Au:N/C:C/I:C/A:C
                   CVE-2009-3555   5.8                 AV:N/AC:M/Au:N/C:N/I:P/A:P
                   CVE-2009-4355   5                   AV:N/AC:L/Au:N/C:N/I:N/A:P
                   CVE-2010-0433   4.3                 AV:N/AC:M/Au:N/C:N/I:N/A:P
                   CVE-2010-4180   4.3                 AV:N/AC:M/Au:N/C:N/I:P/A:N
PHP                CVE-2007-3996   6.8                 AV:N/AC:M/Au:N/C:P/I:P/A:P
PostgreSQL         CVE-2006-5540   4                   AV:N/AC:L/Au:S/C:N/I:N/A:P
                   CVE-2006-5541   4                   AV:N/AC:L/Au:S/C:N/I:N/A:P
                   CVE-2006-5542   4                   AV:N/AC:L/Au:S/C:N/I:N/A:P
                   CVE-2007-0555   8.5                 AV:N/AC:L/Au:S/C:C/I:N/A:C
                   CVE-2007-0556   6.6                 AV:N/AC:H/Au:S/C:C/I:N/A:C
                   CVE-2010-4015   6.5                 AV:N/AC:L/Au:S/C:P/I:P/A:P

These issues were discovered in a variety of ways, and all are known publicly.

Please refer to NSM release notes for a complete list of CVEs that were fixed.

Solution:

These vulnerabilities are fixed in:
NSM version 2012.1 and later
NSM version 2011.4s4 and later
NSM version 2010.3s7 and later

Note: the CentOS or Red Hat version should also be upgraded to 5.7.
The CentOS 5.7 upgrade file available from the NSM 2012.1 download page is applicable to NSM 2011.x and NSM 2010.x as well. Upgrade instructions are available in the NSM Installation Guide.

Workaround:

There are no known workarounds that can mitigate all of the issues listed in this bulletin.

Use access lists or firewall filters to limit access to the NSM network management server only from trusted hosts.

Severity Level:
Critical
Severity Assessment:
The highest CVSSv2 score among these vulnerabilities is 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
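When triaging a bulletin like this one, it is worth recomputing the published base scores from the vectors rather than trusting the score column. The following is an added example, not Juniper's code: it implements the CVSSv2 base equation, parses vectors in the format used in the table above, checks a constructed subset of the table's rows against their published scores, and reports the highest score (which should come out as the 10 quoted in the severity assessment).

```python
# Added example: CVSSv2 base-score calculator used to sanity-check the score
# column of the advisory table (not Juniper's code). Weights are the published
# CVSSv2 base-equation constants.
from typing import Dict, List, Tuple

_WEIGHTS: Dict[str, Dict[str, float]] = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}

def parse_vector(vector: str) -> Dict[str, str]:
    """Split 'AV:N/AC:M/Au:N/C:N/I:N/A:P' into a metric -> value map and validate it."""
    metrics = dict(part.split(":", 1) for part in vector.strip().split("/"))
    if set(metrics) != set(_WEIGHTS):
        raise ValueError(f"vector must carry exactly the six base metrics: {vector!r}")
    for name, value in metrics.items():
        if value not in _WEIGHTS[name]:
            raise ValueError(f"bad value {value!r} for metric {name} in {vector!r}")
    return metrics

def cvss2_base_score(vector: str) -> float:
    """CVSSv2 base equation, rounded half-up to one decimal as the specification does."""
    m = {k: _WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return int(raw * 10 + 0.5) / 10  # half-up; Python's round() is banker's rounding

# Constructed subset of the advisory's table: (CVE id, published score, vector).
ADVISORY_ROWS: List[Tuple[str, float, str]] = [
    ("CVE-2009-0023", 4.3, "AV:N/AC:M/Au:N/C:N/I:N/A:P"),
    ("CVE-2009-2412", 10.0, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("CVE-2011-2723", 5.7, "AV:A/AC:M/Au:N/C:N/I:N/A:C"),
    ("CVE-2007-0556", 6.6, "AV:N/AC:H/Au:S/C:C/I:N/A:C"),
    ("CVE-2010-4015", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
]

def check_rows(rows: List[Tuple[str, float, str]]) -> Tuple[List[str], float]:
    """Return (CVE ids whose published score disagrees with the vector, highest computed score)."""
    mismatches = [cve for cve, score, vec in rows if cvss2_base_score(vec) != score]
    highest = max(cvss2_base_score(vec) for _, _, vec in rows)
    return mismatches, highest

if __name__ == "__main__":
    print(check_rows(ADVISORY_ROWS))  # ([], 10.0)
```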
